potential virus
Monica Biswas
mbiswas at EDC.ORG
Wed May 1 14:11:53 EDT 2002
Hello-
I just received a call from a subscriber who received an email with a
potential virus. The email appeared to come from me (owner of the
YouthLearn discussion list). After talking to our IT department, we
believe this might be the work of the KLEZ virus. In the past week, there
has been a dramatic rise in instances of a virus named Klez. This mass
mailing virus has the ability to spoof the "From" address of an infected
email, making an infected email appear to come from personA at yahoo.com,
when it actually came from personB at hotmail.com. As a result, the virus
scanning servers send out virus alert notifications to innocent addresses.
More information about the virus is below.
**Please keep in mind that the YouthLearn discussion list will not send out
any attachments, so do not open them if they appear to be from YouthLearn!**
Take care-
Monica
***************************
This is information from our IT dept:
*The Klez family of viruses make use of a security loophole in Internet
Explorer (see MS article Incorrect MIME Header Can Cause IE to Execute
E-mail Attachment). Machines can become infected by someone viewing an
infected html formatted message through the Internet Explorer browser, or
through Outlook or Outlook Express. Outlook and Outlook Express are
vulnerable because they use IE to render an HTML formatted email. Other
POP/IMAP mail clients such as Eudora may also be vulnerable if they use
Internet Explorer to render HTML formatted email.
*As mentioned above, the worm has the ability to spoof the From: field
(often set to an address found on the victim machine).
*The worm mails itself to email addresses in the Windows Address Book, plus
addresses extracted from files on the victim machine.
*The worm attempts to unload several processes (mostly anti-virus programs)
from memory, thus aiding in its propagation.
*The worm is able to propagate over the network by copying itself to
network shares (assuming sufficient permissions exist).
*Thanks to the use of the exploit described above, simply opening or
previewing the message in a vulnerable mail client can result in infection
of the victim machine.
*A full description of the virus' characteristics and symptoms can be found
at http://vil.nai.com/vil/content/v_99455.htm
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
YouthLearn ( http://www.youthlearn.org ) brings together youth
professionals to share information on using technology to create
exciting learning environments. YouthLearn was created by the
Morino Institute ( http://www.morino.org ) and is now an Initiative
at Education Development Center ( http://www.edc.org ). We hope
this list assists you in your efforts to make a difference in the
lives and potential of young people.
Tips:
* To post a message to this group, send an email to
mailto:youthlearn at mail.edc.org
* To subscribe or unsubscribe from this list or
to receive YouthLearn in digest form, go to
http://www.youthlearn.org/join/subscribe.html
* To search the YouthLearn archives, go to
http://www.edc.org/hypermail/youthlearn/
* To contact the list facilitator, send an email to
mailto:wrivenburgh at edc.org
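
An added example (not part of the original message or the IT department's note): a mail-gateway style check for the header mismatch that the "Incorrect MIME Header" issue mentioned above relies on. It assumes the mismatch takes the form of an executable filename declared under a non-executable Content-Type; the extension and type lists, the function names and the sample messages are all constructed for illustration.

```python
import email
from email import policy

# Assumed, non-exhaustive lists chosen for this illustration.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "com", "cmd", "vbs"}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def mismatched_parts(raw_message: bytes):
    """Return (declared_type, filename) for every MIME part whose filename
    is executable while its Content-Type header claims something else."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type "name".
        filename = part.get_filename()
        if not filename:
            continue
        name = filename.strip().lower()
        ext = name.rpartition(".")[2] if "." in name else ""
        ctype = part.get_content_type()
        if ext in EXECUTABLE_EXTS and ctype not in EXECUTABLE_TYPES:
            findings.append((ctype, filename))
    return findings

def build_sample(ctype: str, name: str) -> bytes:
    """Constructed two-part message: a text body plus one attachment."""
    return (
        "From: list-owner@example.org\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
        "--B\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        f'--B\r\nContent-Type: {ctype}; name="{name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--B--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    samples = [("audio/x-wav", "report.exe"),               # mismatch
               ("application/pdf", "notes.pdf"),            # ordinary attachment
               ("application/octet-stream", "setup.exe")]   # executable, declared honestly
    for ctype, name in samples:
        print(name, mismatched_parts(build_sample(ctype, name)))
```

The check only covers the header mismatch; an executable declared honestly (the third sample) is left to the ordinary attachment-blocking policy.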